Providing practical examples since 1998

Things look quiet here. But I've been doing a lot of blogging at
dan.langille.org because I prefer WordPress now.
Not all my posts there are FreeBSD related.
I am in the midst of migrating The FreeBSD Diary over to WordPress
(and you can read about that here).
Once the migration is completed, I'll move the FreeBSD posts into the
new FreeBSD Diary website.

In this article, I write about creating your own Certificate Authority
(CA) and generating certificates and keys for an OpenVPN server and
multiple clients. It is based around the the OpenVPN How To
and the README provided with that package.

There is an abundance of material for creating a CA. Why bother?
I bother because getting this right is easy. It's easy if you
know the goals and how to accomplish them. However, getting there
is often trial and error. I don't want to do the error bit the
next time I need to do this. The added bonus is neither do you.
You can use these steps.

Why use your own CA? Creating your own CA means that you have complete
control. You do not have to obtain certificates from third parties. You
can create them yourself, when you need them. I also have a fuzzy impression
that if your OpenVPN server uses a certificate from a third party CA, then
anyone else with a corticate from that CA can also connect.

The steps below are designed to give you:

a certificate for your OpenVPN server

that certificate will be designated as a server-only certificate

certificates for each OpenVPN client

In addition, and this part is important, the OpenVPN server certificate
will be designated as a server-only certificate by setting nsCertType=server.
This will avoid a possible Man-in-the-Middle attack where an authorized
client tries to connect to another client by impersonating the
server.

NOTE: we will building and signing a certificate signing request using
a locally installed root certificate/key. This requires that the generated
certificate and private key files be copied to the destination host over a
secure channel.

The previous paragraph blatantly borrowed from the README.

If you cannot securely copy these files, do not use these steps. Instead,
use the steps under "BUILD A CERTIFICATE SIGNING REQUEST" in the README
followed by "SIGN A CERTIFICATE SIGNING REQUEST".

The tools

The FreeBSD Port for OpenVPN
installs "a small RSA key management package based on the openssl command line tool".
This package is provided by the OpenVPN project and can be found at
/usr/local/share/doc/openvpn/easy-rsa/.

I recommend copying this to another location as you will be altering some
files.

cp -rp /usr/local/share/doc/openvpn/easy-rsa ~/
cd ~/easy-rsa

This article is based upon the README located in that directory. And upon a
few hours of not understanding the subtle steps involved.

The setup

The README says to edit vars and set KEY_SIZE and KEY_DIR. I left
them unchanged. This puts the keys into the keys sub-directory.

You need to invoke the vars file before carrying out any of the remaining
steps. You only need to invoke vars once per session. You will know
that you have not invoked vars this session if you see this message:

you must define KEY_DIR

To invoke the vars, issue this command (the leading . is significant):

. vars

If you see this error:

$ . ./vars
-bash: /home/dan/easy-rsa/2.0/whichopensslcnf: Permission denied
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/dan/easy-rsa/2.0/keys

When first starting out with your CA, you need to run this command. Note that
it will remove the keys subdirectory along with any keys that you have
created. Use with caution. This command sets up some variables used by
later processed.

./clean-all

Create your CA

To create your CA, issue this command (the bits I typed are in bold):

$ ./build-ca
Generating a 1024 bit RSA private key
..........................++++++
......................................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [PA]:
Locality Name (eg, city) [Warrington]:
Organization Name (eg, company) [The FreeBSD Diary]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [dan@example.org]:

After the above, ca.crt and ca.key have been built in your KEY_DIR directory:

In this step, we will create the certificate for your OpenVPN server.
The build-key-server command will ensure the certificate is
designated as a server-only certificate by setting nsCertType=server.
This solution for that type of attack
relies upon you using this line in your client openvpn.conf configuration
files:

ns-cert-type server

This certificate will be used on your OpenVPN server, which in my example,
is named myserver.example.com.
To create a nsCertType=server certificate for your OpenVPN server, issue
the following command:

$ ./build-key-server myserver.example.com
Generating a 1024 bit RSA private key
........++++++
........................................++++++
writing new private key to 'myserver.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [PA]:
Locality Name (eg, city) [Warrington]:
Organization Name (eg, company) [The FreeBSD Diary]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:myserver.example.com
Email Address [dan@example.org]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/dan/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'PA'
localityName :PRINTABLE:'Warrington'
organizationName :PRINTABLE:'The FreeBSD Diary'
commonName :PRINTABLE:'myserver.example.com'
emailAddress :IA5STRING:'dan@example.org'
Certificate is to be certified until Nov 25 19:19:09 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

This will create a file (keys/dh1024.pem) which will be used on
your OpenVPN server.

Create a client certificate

This step will create a certificate that can be used by your OpenVPN client.
In this case, we are creating a certificate to be used by the host
client.example.com.

./build-key client.example.com
Generating a 1024 bit RSA private key
.++++++
...++++++
writing new private key to 'client.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [PA]:
Locality Name (eg, city) [Warrington]:
Organization Name (eg, company) [The FreeBSD Diary]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:client.example.com
Email Address [dan@example.org]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/dan/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'PA'
localityName :PRINTABLE:'Warrington'
organizationName :PRINTABLE:'The FreeBSD Diary'
commonName :PRINTABLE:'client.example.com'
emailAddress :IA5STRING:'dan@example.org'
Certificate is to be certified until Nov 25 19:49:36 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Repeat

I suggest you get things running with one client first, then create
certificates for other client.